Find notable cyber news and cases, enriched with sources, timelines, and signals.

NGINX Plus and NGINX Open Source ngx_http_rewrite_module heap buffer overflow remote code execution flaw (CVE-2026-42945)

Vulnerability
First reported
Last updated
Happening score
H score 28
1 unique sources, 2 articles

Summary

Hide ▲

CVE-2026-42945 exposes a heap buffer overflow in NGINX Plus and NGINX Open Source through ngx_http_rewrite_module, creating risk of unauthenticated remote code execution or denial of service. The flaw is triggered by crafted HTTP requests under specific rewrite/PCRE capture conditions. F5 has issued fixes, and affected deployments should treat the issue as critical.

Related Happenings

NGINX web server critical flaws (multiple vulnerabilities)

Vulnerability
H score38 First: 18.06.2026 14:33 Last: 18.06.2026 14:33 Sources 1

About this happening: **NGINX** had two critical web server vulnerabilities, **CVE-2026-42530** and **CVE-2026-42055**, that can let **remote unauthenticated attackers** trigger **remote code execution...

NGINX and Apache HTTPD HTTP/2 Bomb mitigations

Advisory/Mitigation
H score46 First: 03.06.2026 11:33 Last: 03.06.2026 11:33 Sources 1

About this happening: Calif issued mitigation guidance for **NGINX** and **Apache HTTPD** operators after **HTTP/2 Bomb** was found to enable a **remote denial-of-service** against default HTTP/2 confi...

OpenDCIM multi-flaw exploitation wave (CVE-2026-28515, CVE-2026-28516, CVE-2026-28517)

Exploitation Wave
H score46 First: 17.05.2026 14:57 Last: 17.05.2026 14:57 Sources 1

How related: The cluster of attacker activity we're observing so far originates from a single Chinese IP and uses what appears to be a customized implementation of AI vuln discovery tool Vulnhuntr to automatically check for vulnerable installations before dropping a PHP web shell,

About this happening: **openDCIM** is seeing an **active exploitation wave** tied to **CVE-2026-28515**, **CVE-2026-28516**, and **CVE-2026-28517**, with attackers targeting vulnerable installations an...

NGINX rewrite-rule workaround for CVE-2026-42945

Advisory/Mitigation
H score23 First: 14.05.2026 18:43 Last: 14.05.2026 18:43 Sources 1

How related: For those unable to upgrade, F5 recommends replacing unnamed PCRE capture groups ($1, $2, etc.) in vulnerable ‘rewrite’ rules with named captures, which eliminates the main exploitation prerequisite.

About this happening: **F5** issued a **workaround** for vulnerable **NGINX rewrite rules**, reducing exposure to **CVE-2026-42945** for operators who cannot upgrade immediately. The guidance replaces...

CISA KEV patch directive for CVE-2025-53521

Advisory/Mitigation
H score86 First: 30.03.2026 10:07 Last: 30.03.2026 10:07 Sources 1

About this happening: CISA added **CVE-2025-53521** to its **KEV catalog** and told **federal agencies** to patch the F5 BIG-IP flaw within **three days**. The directive is urgent because the bug is be...

Timeline

  1. 14.05.2026 09:00 2 articles · 1mo ago

    Responsible disclosure and fixes for CVE-2026-42945

    Mitigation Patch Update

    F5 addressed CVE-2026-42945 after responsible disclosure on April 21, 2026, with fixes introduced in NGINX Plus R32 P6 and R36 P4 and in NGINX Open Source 1.30.1 and 1.31.0; if immediate patching is not possible, affected rewrite directives should replace unnamed PCRE captures with named captures.

    Show sources
  2. 14.05.2026 09:00 1 articles · 1mo ago

    Public disclosure of multiple NGINX vulnerabilities

    Initial Disclosure

    Cybersecurity researchers and F5 publicly disclosed multiple vulnerabilities in NGINX Plus and NGINX Open Source on May 14, 2026, led by CVE-2026-42945 / NGINX Rift, a critical heap buffer overflow in ngx_http_rewrite_module that can allow unauthenticated remote code execution or denial of service through crafted HTTP requests under specific rewrite and PCRE capture conditions; the advisory also listed CVE-2026-42946, CVE-2026-40701, and CVE-2026-42934.

    Show sources